shoki@meshuggeneh.net

The Shoki Packet Hustler

Introduction

The packet hustler (or hustler(1)) is a tool for visualisation of IP
network data. In particular, it is intended to be useful in allowing
an analyst to visually identify patterns in network traffic.

The code comprising hustler(1) was originally written as a diagnostic/testing
widget for use with cluster analysis code being written for the shoki
NIDS. It is difficult to evaluate the `goodness' of a new n-dimensional
cluster model without some way of visualising the data; hustler(1) started
out as a way of looking at what all the cluster numbercrunching was doing.

The clustering code is still being worked on, but it is believed that the
current incarnation of hustler(1) is interesting in its own right. Later
versions will hopefully include more automated analysis widgetry, rather
than merely being a graphical frontend for doing (largely manual) analysis.

In the current rev, hustler(1) will probably be primarily of interest
to analysts interested in developing statistical models of network traffic.
It's also a pretty cool toy for just looking at network traffic.

For the record, the name has a threefold derivation, presented in no
particular order:

1. Names like `packet browser' or `packet navigator' tended to
   suggest themselves, but were rejected as sounding misleadingly
   like a web-based widget.

2. Plots involving lots and lots of packets, using the default
   colour scheme, tend to end up looking like something created
   by an astronomy widget. This (somehow or other) suggested a
   reference to Jack Horkheimer's old PBS series `Jack Horkheimer:
   Star Hustler'. The show is currently called `Jack Horkheimer:
   Star Gazer', the name change presumably related to...

3. The obvious porn magazine reference. In this case, the
   idea of `packet porn'---staring at packets presented in suggestive
   poses but not actually being able to do anything with them---seemed
   oddly appropriate.

First of all, as of the time of this writing hustler(1) doesn't
actually do much of anything. Beyond the underlying signature
matching which is done (via shoki filter rules), hustler(1) doesn't
actually do any analysis. It won't tell you when something is suspicious.
It just shows you the data, and you need to be able to do the analysis
yourself.

The code is also pretty new. Read: it is probably chock full o' bugs.

The code also has lots of dependencies on third party libraries. In
particular, it relies on a lot of GUI stuff (GTK+, gtkglext, and OpenGL).
In general, you probably won't have all of the dependencies installed on
the machine(s) that normally handle your NIDS data. This means that in
order to use hustler(1), you'd have to either install a bunch of stuff on
your NIDS box(-en), or move the data to some other host. Neither of
these alternatives is particularly attractive.

There is very little interface chrome, and no online help in the application.
Translation: it ain't very user-friendly.

It is pretty resource hungry. A lot of packet data is kept in memory,
so as you increase the number of packets (and the number of filters), your
memory usage goes up.

Any and all comments, questions, and suggestions (about hustler(1) or about
shoki in general) are welcome. Don't hesitate to send mail to
shoki@meshuggeneh.net or directly to the primary author,
spb@meshuggeneh.net.